1. Technical Field
The present disclosure relates to information security, and more specifically to protecting authentication information of other user applications when access to a user's email account is compromised.
2. Related Art
Electronic mail (Email) is used for asynchronous communication between users. Each user uses a client system with appropriate software to compose and send email messages to various recipients of interest at times convenient to the sending user. Each recipient (user) has an associated email server, which provides access to all the email messages received for the corresponding recipient at a time convenient for the recipient.
Each email server typically serves several users, and each user is accordingly said to have an account with the email server. Each account is uniquely identified by a user name within a domain served by the email server. In combination with a domain identifier, the user is uniquely identified globally, so that any sender can send an email to the user as the corresponding recipient. For example, an email identifier of goodbeing@gmail.com globally identifies the corresponding user, with gmail.com representing the domain name identifier and goodbeing representing the user name within the domain.
Email accounts are often used by users in managing authentication information for several user applications provided by other parties. In a typical use case, a user with an online account with Citibank may specify goodbeing@gmail.com as a related email account, and the Citibank servers may thereafter use that account in managing authentication information for accessing the Citibank servers. For example, if a user wishes to reset the authentication information (for accessing user information on Citibank servers), the Citibank servers may send an email to goodbeing@gmail.com that enables the authentication information (e.g., password) to be reset. Alternatively, some authentication servers send the user's existing password to that email identifier.
Thus, associating email accounts with user applications provides the convenience of managing the authentication information (in addition to possibly sharing of monthly account statements, etc.), which is legitimately required in several situations, particularly given that a user may forget (or otherwise irretrievably misplace) the authentication information.
There are often situations in which a user's email account is compromised. A compromise is said to occur when an unknown party can control a user's session, without the user's permission or knowledge. Typical situations in which such a compromise can occur include a hacker somehow deciphering the user identifier/password combination, a hacker stealing cookies related to valid sessions the user had earlier properly set up, a user forgetting to log out of a public terminal and the hacker thereafter continuing to use the session from that terminal, etc.
While having email accounts associated with user applications serves several legitimate requirements as noted above, such association can be problematic when a user's email account is compromised. For example, a hacker who is in control of the email account (without the user's knowledge or permission) may be able to easily ascertain the account identifiers at various user applications (e.g., accounts at other banks, brokerages, travel web sites, etc.) using the various logs maintained at the email account, and attempt to change/ascertain the authentication information of such user applications.
It is therefore desirable that the authentication information (of users) enabling access to user applications be protected at least in some of the situations noted above.
In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the leftmost digit(s) in the corresponding reference number.